Forum Discussion

mnb_63148's avatar
mnb_63148
Icon for Nimbostratus rankNimbostratus
Apr 02, 2014
Solved

SNAT question

If I a SNAT Pool with only 1 IP in the Member List, will Big-IP allow traffic initiated from the outside in and then translate that address to the IP in the Member List?   For example, if I have a...
  • Cory_50405's avatar
    Cory_50405
    Apr 02, 2014

    A SNAT pool will translate traffic coming through the BIG-IP bound for a resource 'behind' it. So for example:

     

    Client IP address - 10.100.100.100 Server IP address - 20.100.100.100 BIG-IP virtual server IP address - 10.10.10.10 SNAT pool member - 20.10.10.10

     

    Client will initiate a connection the virtual server IP address. The virtual server being configured with the SNAT pool will translate the source IP address of the traffic to 20.10.10.10 and send along to the server at 20.100.100.100.

     

    If for some reason a client sends traffic to the SNAT pool member (if routing is in place to allow this to happen), the BIG-IP will drop the traffic.

     

    SNAT translation will only occur when traffic is destined to the virtual server IP address to which the SNAT pool is applied.

     

Cory_50405's avatar
Cory_50405
Icon for Noctilucent rankNoctilucent
Apr 02, 2014

A SNAT pool will translate traffic coming through the BIG-IP bound for a resource 'behind' it. So for example:

 

Client IP address - 10.100.100.100 Server IP address - 20.100.100.100 BIG-IP virtual server IP address - 10.10.10.10 SNAT pool member - 20.10.10.10

 

Client will initiate a connection the virtual server IP address. The virtual server being configured with the SNAT pool will translate the source IP address of the traffic to 20.10.10.10 and send along to the server at 20.100.100.100.

 

If for some reason a client sends traffic to the SNAT pool member (if routing is in place to allow this to happen), the BIG-IP will drop the traffic.

 

SNAT translation will only occur when traffic is destined to the virtual server IP address to which the SNAT pool is applied.

 

  • mnb_63148's avatar
    mnb_63148
    Icon for Nimbostratus rankNimbostratus
    Apr 02, 2014
    Thanks, Cory. Just to be sure that I understand you correctly, let's say that there is no virtual server in play and a user initiates traffic to 20.10.10.10 (translated address for the SNAT pool), the LTM will drop the traffic and not translate to 20.100.100.100 (the server)? The reason why I am asking is because we have some traffic that routes through the LTM for the sole purpose of getting translated/SNAT'd to a public IP in order to talk to websites and other resources on the Internet. I just want to ensure that a user from the outside cannot initiate traffic to 20.10.10.10 (translated address) and reach 20.100.100.100 (the server). Thanks.
  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Apr 02, 2014
    Correct, traffic destined to the SNAT pool address 20.10.10.10 will be dropped by the LTM. So it sounds like for your forward proxy setup, you have a forwarding virtual server with a different SNAT pool to ensure return traffic flow comes back through the LTM. For the same reason as before, traffic initiated from the outside bound for your SNAT pool applied to your forwarding virtual server will be dropped. The reverse translation will not be done by the LTM. It only works if the traffic arrives on the virtual server IP address.
  • mnb_63148's avatar
    mnb_63148
    Icon for Nimbostratus rankNimbostratus
    Apr 02, 2014
    Thanks, Cory. We do not have a forwarding virtual server set up. We just have SNAT pools in place so that a server on a private network can initiate traffic to an address on the Internet. The SNAT gives the server a public IP. Thanks for answering my question.
  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Apr 02, 2014
    I see. Bad assumption on my part.
  • mnb_63148's avatar
    mnb_63148
    Icon for Nimbostratus rankNimbostratus
    Apr 04, 2014
    No problem. Thanks for answering my question!